> Anything we do has to be automated to be of any real value. Ideally
> if something goes wrong it should be as detectable as possible.

Yeah, but you'd have to part of that at every developer's box.
Can we just agree that having the tip of the main tree always signed
will be enough for now, and postpone the rest of the discussion until
later?
Cheers,
Dirkjan